Security Research Center Policy

In today’s world we have become more and more connected to Internet services, software, and hardware devices.

We share our information with our banks, medical institutions, and employers. We share our information with smartphones, smart TVs, smart watches, and other “smart things” in our homes, which usually retain our information in remote databases outside our control.
These technologies are deeply integrated into our lives and, in many cases, we have become dependent on them, making us vulnerable when the technology fails or our information is not properly protected.

Our research

We conduct security research to locate any data exposures in the databases of various companies, organisations, and institutions.

Typically we use the Shodan search engine to locate unprotected Internet-connected devices. This search engine is publicly accessible, and allows researchers to identify devices and databases that are connected to the open Internet without any password protection or other technological barriers to safeguard the data stored in them. We do not crack passwords or authentication processes or use any other hacking tricks.

Once we discover a publicly exposed database, we report our findings according to the following guidelines:

When appropriate, we provide details of the data exposure to the company, organisation, or institution that failed to protect itself.

We do not modify the data we find.

We allow entities time to remedy the data exposure prior to making any details available publicly that would otherwise cause further risk.

We do not transfer any data to any third parties.

Why do we do this?

Here, in the Security Research Center, we do our best to:

Help businesses build better security by identifying data leaks, and

Raise public awareness of the dangers related to data breaches and security risks in the connected world.

Popular articles

Louisiana School for the Visually Impaired: DATA SECURED!

Protecting the personal data of children is always important, but what happens when a school or government-related institution leaks that data? A child’s data is extremely vulnerable because children often have no choice in who stores or collects their data. As online technology and digital records become the modern standard, it is more important than ever to protect the personal data and medical records of children. Having your data leaked as a child could follow you around for the rest of your life, and this is why data protection must be taken seriously.

The MacKeeper Security Research Center found that Louisiana School for the Visually Impaired was running a leaky instance of the Rsync protocol. This protocol is widely used for remote synchronization between computers, and in most cases it is protected from external access. But there are still many “live” cases where Rsync is left without any password authentication.

Due to that particular breach we were able to access a virtual drive belonging to the institution, which contained a lot of internal and sensitive information. The data included highly sensitive information such as the children's State ID Number, birth dates, full names, photos, accommodation details, medical impairment comments, etc. And yes, this information was available online without any password or login, so basically anyone with an Internet connection could have downloaded it.

Among other data there was a file that contained a total of 3,647 records of 200 children from the Louisiana School for the Visually Impaired, a K-12 state-operated school located in Baton Rouge, Louisiana, United States. The school has both blind and other visually impaired students.

In September 2016 the MacKeeper Security Research Center discovered a database of 2.9 million voters from Louisiana. Upon notifying the state about the data breach, we worked with Mr. Dustin Glover, the Chief Information Security Officer from the Office of Technology Services for the State of Louisiana, who was able to help us secure the database within a matter of hours. We would like to thank Mr. Glover once again for his fast and professional assistance in identifying who is responsible for managing this database and ensuring that the children’s data was urgently secured.

***

Attention - Portions of this article may be used for publication if properly referenced and credit is given to MacKeeper Security Research Center.